[gptalk] Re: GPO Permissions

  • From: Neil Berry <neil@xxxxxxxxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Fri, 01 Feb 2008 13:43:11 +0000

That's just what I need :)

Thanks Jakob !

Jakob H. Heidelberg wrote:
Well, you are mentioning the important ones. There's a minor difference
between 2000 and 2003/2008 permission requirements.

You should take a deeper look at the defaultSecurityDescriptor entry, KB
321476 - this entry handles permissions on newly created GPOs - so it
"knows" what's needed :)


Have fun!
/Jakob H. Heidelberg

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Neil Berry
Sent: 1. februar 2008 11:30
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO Permissions

Hi all,

I wonder if anyone could help me with this. I am trying to reduce access to the GPOs in a specific environment and want to trim the permissions to a minimum without breaking anything !

I was intending to reduce permissions to the following

Authenticated Users : Read
Domain Admins: Full control
Enterprise Admins: Full Control
Group Policy Creator: Edit, delete, modify

But it looks like the following might be required ?

System : Full control
Enterprise Domain controllers: read

Are there any other specific permission requirements that anyone knows about for particular policies ?

Thanks for any thoughts.
Neil



***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************
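
The trustee list discussed in this thread, turned into a check against an SDDL string such as the defaultSecurityDescriptor value Jakob points to. This is an added example, not code from the list or from KB 321476; the rights chosen for "Read" and "Edit, delete, modify", the function names and the sample SDDL are assumptions constructed for illustration.

```python
import re

# Directory-object access-right codes used in SDDL ACE strings.
ALL = {"RC", "SD", "WD", "WO", "RP", "WP", "CC", "DC", "LC", "SW", "LO", "DT", "CR"}
READ = {"RP", "LC", "LO", "RC"}      # assumption: what "Read" means here
EDIT = ALL - {"CR"}                   # assumption: "Edit, delete, modify"

# Trustees from the thread, keyed by their SDDL SID alias.
BASELINE = {
    "AU": ("Authenticated Users", READ),
    "DA": ("Domain Admins", ALL),
    "EA": ("Enterprise Admins", ALL),
    "PA": ("Group Policy Creator Owners", EDIT),
    "SY": ("SYSTEM", ALL),
    "ED": ("Enterprise Domain Controllers", READ),
}

def parse_dacl(sddl):
    """Return (type, rights, object_guid, trustee) for each ACE in the DACL."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, _flags, rights, obj_guid, _inherit, trustee = fields[:6]
        if rights.startswith("0x"):
            raise ValueError("hex access masks are not handled: " + body)
        aces.append((ace_type, set(re.findall("..", rights)), obj_guid, trustee))
    return aces

def audit(sddl, baseline=BASELINE):
    """Compare plain allow ACEs with the baseline; object ACEs (OA) are skipped."""
    granted = {}
    for ace_type, rights, obj_guid, trustee in parse_dacl(sddl):
        if ace_type == "A" and not obj_guid:
            granted.setdefault(trustee, set()).update(rights)
    missing = {alias: sorted(need - granted.get(alias, set()))
               for alias, (_name, need) in baseline.items()
               if need - granted.get(alias, set())}
    return {"missing": missing, "extra": sorted(set(granted) - set(baseline))}

# Constructed sample, not the real schema default: SYSTEM has no ACE, Enterprise
# Domain Controllers lack read control (RC), and Creator Owner (CO) is an extra.
SAMPLE = ("D:P(A;CI;RPLCLORC;;;AU)(A;CI;RPWPCCDCLCLORCWOWDSDDTSWCR;;;DA)"
          "(A;CI;RPWPCCDCLCLORCWOWDSDDTSWCR;;;EA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;PA)"
          "(A;CI;RPLCLO;;;ED)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)")
```

Calling `audit(SAMPLE)` reports SYSTEM and Enterprise Domain Controllers under `missing` and Creator Owner under `extra`; a trimmed ACL that drops either of the two trustees Neil suspected were required shows up the same way.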
